GDPR Art. 7(3) and Art. 13(3) require fresh consent whenever the purposes or conditions of processing change materially. A user who consented to analytics-only cookies in January did not consent to session recording you added in March. If the stored consent record has no version, your application cannot distinguish old consent from new consent — and will treat the January acceptance as valid for the March tracking, which it is not. This is a silent compliance gap: nothing breaks, but every user who visited before your tracking expansion is being processed without valid consent for the new purposes.
Low because the failure only manifests when tracking purposes change — but when it does, it silently converts all previously consented users into users without valid consent for the new processing.
Implement versioned consent checks that re-show the banner when the stored version does not match the current consent notice version. Bump the version every time new tracking tools or purposes are added.
// lib/consent.ts
export const CURRENT_CONSENT_VERSION = '2026-02-01'
// Increment this date each time you add new tracking tools or purposes

export function hasValidConsent(): boolean {
  const stored = localStorage.getItem('gdpr_consent_v1')
  if (!stored) return false
  let record: { consentVersion?: string } | null = null
  try {
    record = JSON.parse(stored)
  } catch {
    // Corrupt value: fall through and treat it as outdated consent
  }
  if (record?.consentVersion !== CURRENT_CONSENT_VERSION) {
    localStorage.removeItem('gdpr_consent_v1') // invalidate outdated consent
    return false
  }
  return true
}

// In ConsentBanner useEffect:
// useEffect(() => { if (!hasValidConsent()) setVisible(true) }, [])
Maintain a changelog of consent notice versions in docs/consent-changelog.md: "2026-02-01: Added Hotjar session recording". Each entry requires a version bump and re-consent for all users.
ID: gdpr-readiness.consent-management.re-consent-on-change
Severity: low
What to look for: Look for a versioning mechanism on the consent notice. When you add a new tracking tool, a new cookie category, or change what existing cookies do, users who previously consented to an older version of the notice must be re-shown the consent banner to get fresh consent. Check whether the stored consent record includes a consent version (date or version string). Check whether the application compares the stored consent version against the current consent notice version on page load and re-triggers the banner when they differ. Common pattern: a CONSENT_VERSION constant that is bumped when the consent notice changes, compared against the version stored in localStorage or the database. Count all instances found and enumerate each.
Pass criteria: Consent records include a version identifier. On page load, the stored consent version is compared to the current consent notice version. If they differ (outdated consent), the consent banner is re-shown. The consent version is bumped whenever new tracking tools or purposes are added. At least 1 implementation must be confirmed.
Fail criteria: Consent is stored as a boolean with no version. New tracking tools added without triggering re-consent. No mechanism to invalidate old consent when the notice changes. Consent version never changes.
Skip (N/A) when: Application has no consent mechanism and no non-essential cookies. Or application is static and the consent notice has never changed since launch.
Detail on fail: Example: "Consent stored as boolean in localStorage with no version. Adding new analytics tool to the site would not trigger re-consent for users who previously accepted."
Remediation: Implement versioned consent checks:
// lib/consent.ts
export const CURRENT_CONSENT_VERSION = '2026-02-01'
// Bump this date whenever you add new tracking tools, cookies, or purposes

export function hasValidConsent(): boolean {
  const stored = localStorage.getItem('gdpr_consent_v1')
  if (!stored) return false // No consent on record — show banner
  let record: { consentVersion?: string } | null = null
  try {
    record = JSON.parse(stored)
  } catch {
    // Corrupt value: fall through and treat it as outdated consent
  }
  if (record?.consentVersion !== CURRENT_CONSENT_VERSION) {
    // Outdated consent — clear it and re-prompt the user
    localStorage.removeItem('gdpr_consent_v1')
    return false
  }
  return true
}

// In ConsentBanner useEffect:
// useEffect(() => { if (!hasValidConsent()) setVisible(true) }, [])
Maintain a changelog of consent notice versions: "2026-02-01: Added Hotjar session recording". Each entry requires a version bump and re-consent for all users.
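The remediation above covers only the read side. The following added example (not part of the original rule or any project's code) also shows the write side that stamps each acceptance with the notice version, and classifies the legacy boolean flag named in the fail criteria as invalid. Assumptions: the names ConsentState, ConsentRecord, KeyValueStore, recordConsent, consentState and memoryStore are hypothetical, and the in-memory store is a constructed stand-in for localStorage.

```typescript
type ConsentState = 'missing' | 'malformed' | 'outdated' | 'valid'

interface ConsentRecord { consentVersion: string; purposes: string[]; grantedAt: string }

// Subset of the Web Storage API, so the logic can be exercised outside a browser.
interface KeyValueStore {
  getItem(key: string): string | null
  setItem(key: string, value: string): void
  removeItem(key: string): void
}

const CONSENT_KEY = 'gdpr_consent_v1'

// Write side: stamp every acceptance with the notice version it was given under.
function recordConsent(store: KeyValueStore, version: string, purposes: string[]): void {
  const record: ConsentRecord = { consentVersion: version, purposes, grantedAt: new Date().toISOString() }
  store.setItem(CONSENT_KEY, JSON.stringify(record))
}

// Read side: anything other than 'valid' means the banner must be shown again.
function consentState(store: KeyValueStore, currentVersion: string): ConsentState {
  const raw = store.getItem(CONSENT_KEY)
  if (raw === null) return 'missing'
  let parsed: unknown
  try { parsed = JSON.parse(raw) } catch { parsed = undefined }
  const version = typeof parsed === 'object' && parsed !== null
    ? (parsed as { consentVersion?: unknown }).consentVersion
    : undefined
  if (typeof version !== 'string') {
    store.removeItem(CONSENT_KEY) // legacy boolean flag or corrupt value: no version on record
    return 'malformed'
  }
  if (version !== currentVersion) {
    store.removeItem(CONSENT_KEY) // consent was given under an older notice
    return 'outdated'
  }
  return 'valid'
}

// Constructed in-memory store standing in for localStorage.
function memoryStore(): KeyValueStore {
  const items: { [key: string]: string } = Object.create(null)
  return {
    getItem: key => items[key] ?? null,
    setItem: (key, value) => { items[key] = value },
    removeItem: key => { delete items[key] },
  }
}
```

In a browser, pass `localStorage` as the store and `CURRENT_CONSENT_VERSION` as the current version.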